kokyu n00b
Joined: 22 Dec 2011 Posts: 13
Posted: Tue Oct 09, 2012 4:34 pm Post subject: VPN (PPTP, OpenVPN, ...) with PAM/LDAP support
Hi all,
In our company we're currently using PPTP with MS-CHAPv2 and MPPE, and I recently introduced LDAP for all the SSH accounts on all machines to make modifications to the global user database easy.
However, we are now to do the same for VPN. It would be really great to let all users in the LDAP database (possibly with a flag) also log in via VPN with the passwords stored in that very LDAP database.
Since PAM is configured to use LDAP, I am looking for either a VPN with PAM support or direct LDAP support.
However, I tried hard to find a guide for PPTP (pppd) to authenticate against PAM/LDAP, and one even said it is not possible at all, since PPTP with MS-CHAP uses a different password hash algorithm than the one shadow passwords are encrypted with, and OpenVPN on the other hand did not look that great either.
So does anyone know how at best I could get a PPTP (or similar) VPN to run against a centralized LDAP user database?
Many thanks in advance,
Kokyu.
Veldrin Veteran
Joined: 27 Jul 2004 Posts: 1945 Location: Zurich, Switzerland
Posted: Tue Oct 09, 2012 8:43 pm Post subject:
Short answer: yes, it is possible; the exact steps depend on the final setup (or, in other words, more information needed).
Longer answer: LDAP authentication with OpenVPN works perfectly. I currently use pfSense on my border firewall to achieve that. (Other (proprietary) products can achieve similar results.)
What is your current setup (firewall- or VPN-concentrator-wise)? Can it be used to terminate a VPN connection? Does it support LDAP authentication?
If there is no existing infrastructure available, I suggest you use a dedicated host (in the DMZ) to play the role of the VPN concentrator, and use some appliance-grade OS. (It is perfectly possible to use (hardened) Gentoo, but the less the box has installed, the better.)
Choosing the right 'VPN software' depends on the clients used and the features required. My main reason for choosing OpenVPN is the simplicity of integrating it into NetworkManager and the trust in the OpenSSL library.
Before adding more thoughts, I would need some additional information.
V.
If I may ask: how is this Gentoo related?
_________________
read the portage output!
If my answer is too concise, ask for an explanation.
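The OpenVPN-via-PAM-via-LDAP route that both posts circle around, shown as an added example (not configuration from either poster or from pfSense). It assumes the auth-pam plugin path, the certificate file names and the LDAP group name "vpnusers", which plays the role of the "flag" the first post asks for; client certificates stay required so the LDAP password is a second factor rather than the only one.

```conf
# /etc/openvpn/server.conf (server side, relevant lines only)
port 1194
proto udp
dev tun
# Assumed placeholder paths for the CA, server certificate/key and DH params.
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh2048.pem
server 10.8.0.0 255.255.255.0
# Pass the username/password sent by the client to the PAM service "openvpn".
# The plugin path is distribution-specific (assumed here).
plugin /usr/lib/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn
# Client certificates remain mandatory; the LDAP password is an additional
# factor, not a replacement for the certificate.
# Drop privileges once the tunnel is up (the PAM helper is forked beforehand).
user nobody
group nobody
persist-key
persist-tun

# /etc/pam.d/openvpn (the PAM service named in the plugin line above)
# Only members of the group "vpnusers" (assumed name) may log in; this is the
# per-user VPN flag. Needs nss_ldap/sssd so that LDAP groups are visible to NSS.
auth    required    pam_succeed_if.so user ingroup vpnusers quiet
# Check the password against the LDAP directory, not /etc/shadow; no NT hash
# is involved, which is why this works where MS-CHAPv2 cannot.
auth    required    pam_ldap.so
account required    pam_ldap.so

# client.ovpn (relevant line only): prompt for the LDAP credentials on connect
auth-user-pass
```

Failed logins are reported by the plugin in the OpenVPN log with the PAM result, so a denied user can be distinguished from a wrong password during rollout.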